Question

I'm writing a totally non-Blender-related Python script, and I noticed Blender has implemented a solution to a problem I was having.

I'm trying to input a Python expression to the program, currently using the eval() function. Yet this isn't good security practice. Refer to this question for more information. Note that I need operators not to be blocked, so ast.literal_eval() can't be used.

Here Blender comes in. This answer demonstrates a feature in Blender called a scripted Python expression box in the driver panel. It achieves exactly what I want my Python script to do. I downloaded the Blender source to reverse engineer it, but it's all C++, not Python (even though the expression is evaluated using Python syntax).

How is this achieved?

Solution

Blender is effectively using eval() and makes no attempt at making the expression secure
(look up sandboxing CPython; it's not trivial).

This is why Blend files have an option Trusted Source, for more details see:
http://wiki.blender.org/index.php/Doc:2.6/Manual/Extensions/Python/Security

For the C code, see BPY_driver_exec
https://developer.blender.org/diffusion/B/browse/master/source/blender/python/intern/bpy_driver.c$172

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow